Please have a read of my article and see if anything fits your circumstances:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Thanks for replying. The sending addresses are random or often and invalid username at our domain. I have turned on the diagnostic logging as requested and will monitor. Incidently I forgot to mention in my question that we already disabled all unused accounts and reset the password of all active accounts.

Okay - if SMTP is blocked in / out from anyone but Postini, then you sound like you have a virus infected computer locally or remotely and the remote computer could be using RPC over HTTPS and sending it's mail securely to your server.

If you're receiving messages that are for users who do not exist in your gal then you may not have recipient filtering turned on. I have used postini in the past and still had similar issues like the one your describing.

I would go through verify that you have E2k3's anti-spam filtering turned on and running.
people often over look that beucase they have a 3rd party filter service.

@castellansolutions - This is not an inbound mail issue - it is an outbound mail issue. If messages were being sent to invalid users and recipient filtering was not enabled, the messages in the queue would be from Postmaster, not random internal users. If the messages were from random users not on the domain, then the problem would be an Authenticated Relay attack - it's as simple as that.

The messages in the queue are from random users and the internal domain, so this could be an authenticated relay attack or it could be an internal infection or an external infection with users sending via an authenticated username / password or via RPC over HTTPS.

If the senders are random users not on the domain - that means an authenticated relay attack.

If the senders are invaliduser@localdomain then that would also indicate an authenticated relay attack.

What is clear, is that the attack is either authenticated or from an internal source (which can include external SMTP authenticated users or RPC over HTTPS users) or a locally infected computer sending out via Exchange, which is unusual, but not impossible.

What it isn't is external spam sent to invalid recipients because the senders would be postmaster sending back NDR messages to spoofed addresses.

To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center.
Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center.
Navigate to the Mail Flow >> Rules tab.: To cr…